Upload
khangminh22
View
1
Download
0
Embed Size (px)
Citation preview
UNDERSTANDING ISO 27001
TABLE OF CONTENTS
WHAT IS ISO 27001? 4
WHY ISO 27001? 5
ISO 27001 VERSUS ISO 27002 5
CONTROLS CROSSWALK 7
ENTERPRISE APPLICABILITY 7
ISO 27001:2013 FRAMEWORK 7
MANDATORY CONTROLS (3.0-10.0) 7
TERMS & DEFINITIONS (3.0) 7
CONTEXT OF THE ORGANIZATION (4.0) 8
LEADERSHIP (5.0) 8
PLANNING (6.0) 8
SUPPORT (7.0) 9
OPERATION (8.0) 9
PERFORMANCE EVALUATION (9.0) 9
IMPROVEMENT REQUIREMENTS (10.0) 10
ANNEX A CONTROLS 10
HOW IS ISO 27001 IMPLEMENTED? 11
THE PDCA MODEL 11
UNDERSTANDING ISO 27001
HOW IS ISO 27001 CERTIFICATE OBTAINED? 12
CERTIFICATION MODEL 13
CONFORMANCE MAINTENANCE 13
PROCESS VERSUS PRODUCT 14
CONCLUSION 15
UNDERSTANDING ISO 27001
WHAT IS ISO 27001?
ISO 27001 is the only internationally recognized framework of controls codifying the audit
requirements for an Information Security Management System (ISMS).
This Standard was the first of the ISO270## series and first published by the International
Organization for Standardization, or ISO and the International Electrotechnical Commission
(IEC). Its purpose is to develop, maintain and promote standards in the fields of Information
Technology (IT) and Information and Communications Technology (ICT). The first issuance of
the standard was published in November 2005, and revised by ISO/IEC periodically.
The ISO 27001 Standard’s controls are high-level, broad in scope, and conceptual in nature.
This approach allows it to be applied across multiple types of enterprises, organizations and
applications. ISO 27001 is the only information security “standard” devoted to information
security management in a field generally governed by specific operational audit criteria.
While its genesis was information technology, ISO 27001 covers all information security and
includes clauses and controls which drive consideration of physical security, human resources,
awareness training, suppliers/vendors and more.
As a standard that is primarily conceptual, ISO 27001 is not:
• A technical standard
• Product or technology driven
• An equipment evaluation methodology
ISO 27001 is, however:
• A comprehensive baseline of information security management controls that all
information security programs shall address in some manner. This, in essence, makes
ISO 27001 internationally sanctioned “due diligence” that works well with other
frameworks like SOC2, NIST, HIPAA, Six Sigma’s DMAIC method, and the family of
other ISO Standards;
• A driver of an annual assessment of information security risks; and
• A driver of information security governance, in which leadership of all levels of the
areas in scope within the organization, participate. This ensures an understanding and
decision-making participation from leadership in the overall reduction of information
security risks.
UNDERSTANDING ISO 27001
WHY ISO 27001?
The information security field has traditionally been based on best practices and guidelines. While this cumulative wisdom of the ages is valid, it is also subject to various interpretations and implementations; this is not always consistent or harmonious. Furthermore, without the risk justification required by ISO 27001, “best practice” is in reality “best guess”. This makes a security program devoid of the underlying analysis that makes control implementation justifiable, defensible and auditable. ISO 27001 offers the following benefits:
• The only internationally recognized management system that can enhance information security interoperability and trust with trading partners;
• A yardstick to evaluate information security program effectiveness;
• A vehicle to certify “due diligence”;
• An umbrella under which multiple data protection regulatory compliances may be managed;
• A repeatable risk-based approach to security and information assets;
• Understand, align and operationalize business objectives in regards to information security; and
• Certification by an impartial third-party gives assurance in the marketplace that those organizations that are certified, have met the stated criteria within the certificate’s area of scope and the statement of applicability to the controls within the standard.
Reasons to pursue an ISO 27001 based Information Security Program also vary:
• For some industries, an ISO 27001 certified operational area may become a de-facto requirement;
• For organizations subject to government regulation, ISO 27001 may increase efficiency and eliminate redundancy in complying with multiple information protection regulations through centralized management;
• ISO 27001 certification creates and improves processes that make it more efficient to make money;
• For data-centric organizations, customer perception of an ISO 27001 certified operational area may offer a marketing advantage; and
• An ISO 27001 certified operational area provides a high degree of defensibility both legally and strategically.
ISO 27001 VERSUS ISO 27002
Both standards serve distinct purposes, hence it is important to understand the differences
between ISO 27001 and ISO 27002. The biggest difference is that organizations cannot certify
to ISO 27002 as it does not contain the control clauses for formation of an Information Security
Management System (ISMS). ISO 27002 can serve as an implementation guide for the Annex
UNDERSTANDING ISO 27001
A Controls of ISO 27001. However, ISO 27002 does not use the control language that mandates
conformity.
The ISO 27002 International Standard is designed for organizations to use as a reference for
selecting controls within the process of implementing an Information Security Management
System (ISMS) based on ISO/IEC 27001 or as a guidance document for organizations
implementing commonly accepted information security controls. This standard is also
intended for use in developing industry- and organization-specific information security
management guidelines, taking into consideration their specific information security risk
environment(s).
Organizations of all types and sizes (including public and private sector, commercial and non-
profits, handle information, tangible and intangible, in many formats. The ISO 27001 and/or
ISO 27002 can help define controls that assist in risk mitigation to protect the organization’s
information assets.
ISO 27001 ISO 27002
The certifiable standard which has
mandatory clauses and a framework of
controls that drives the management and
mitigation of information security risks
through policies, standards, and education
the produce repeatable and auditable
requirements for the protection of the
organization’s information assets
An implementation guide based upon best
practice suggestions (not a certifiable
standard)
A list of management controls an
organization shall, or is required to, address
A list of operational controls an
organization should consider when
implementing ISO 27001
Used as a means to audit and certify an
organization’s Information Security
Management System
Used as a means to mature or implement an
ISO 27001-compliant information security
program
UNDERSTANDING ISO 27001
CONTROLS CROSSWALK
ISO 27001 provides the governance umbrella under which multiple data protection regulatory compliances may be managed. Further other programs and regulatory controls cross over to a control area within ISO 27001 and documentation and practices can be made to conform to this broad spectrum.
ENTERPRISE APPLICABILITY
ISO 27001 defines a management system as organizational structure that includes policies,
planning activities, responsibilities, practices, procedures, processes, and resources. ISO
27001 further defines an ISMS as that part of the overall management system, based on a risk
approach, to establish, implement, operate, monitor, review, maintain and improve
information security. This comprehensiveness causes an ISO 27001 ISMS to potentially
interact with multiple enterprise departments and programs such as:
• Human Resources (7.0, A.7) • Suppliers / Procurement (A.15)
• Legal / Compliance (A.18) • Business Continuity (A.17)
• Audit (9.0, 10.0) • Operations (A.12)
• Facilities (A.11) • Physical Security (A.11)
ISO 27001:2013 FRAMEWORK
The ISO 27001 control clauses, control areas, control objectives and key control attributes
are summarized below.
MANDATORY CONTROLS (3.0-10.0)
The controls detailed within ISO 27001 sections 3.0 – 10.0 are required for conformance to this
standard, and are considered the “framework” or the tenets that the ISMS is built upon.
TERMS & DEFINITIONS (3.0)
Terms and definitions ensure language used in the program is standard and consistent, this
control requires a glossary of terms and definitions be created for use by the organization.
UNDERSTANDING ISO 27001
CONTEXT OF THE ORGANIZATION (4.0)
This clause addresses establishing the context of the ISMS within the enterprise or entire
organization. It calls for the identification of organizational objectives, external and internal
issues, and interested parties, both external and internal, in order to define the scope and
support of the ISMS.
LEADERSHIP (5.0)
The leadership clause places requirements on what the standard refers to as “top
management” – the person or group of people, who directs and controls the organization at
the highest level, to demonstrate leadership and commitment to the ISMS. A specific
responsibility includes establishing the Information Security Policy. Further, this clause places
the requirements for top management to assign information security responsibilities and
authority. The standard focuses on the establishment and concept of governance, the
involvement of the executive team and other top leadership, in the process and ensures
documentation of their efforts.
PLANNING (6.0)
This clause calls for reference to the organizational context and interested parties in
establishing the ISMS to determine the risk and opportunities that need to be addressed, with
the intended result to be:
• Ensure the ISMS can achieve its intended outcomes;
• Prevent or reduce undesired effects;
• Achieve continuous improvement;
• Assure that the risk management process is repeatable;
This is can be accomplished through the assessment of information security risk (risk
assessment, risk treatment plan and the Statement of Applicability (SOA – The in-scope
selection of controls from Annex A). In recent years, ISO 27001 has widened the use of risk
assessment methodologies in order to identify the risks, threats and vulnerabilities that exist
in regards to any organizations information assets. Following the risk assessment, a risk
treatment plan, which includes the assignment of risk owners and the determination of
mitigating controls, is to be carried out.
UNDERSTANDING ISO 27001
Further, through this clause, the organization is to establish information security objectives
that support the business objective of the relevant to the business areas (functions) and levels
of management of the organization.
SUPPORT (7.0)
The support clause focuses the requirement of an organization to determine and provide the
necessary resources to establish, implement, maintain and continually improve the ISMS. This
is met through establishing:
• Competence – necessary skills and knowledge to see that information security
activities and actions can in fact be implemented and acted upon
• Awareness – that policies and activities are understood, contributions to the ISMS
can occur, and the implications of nonconformance are understood
• Communication – external and internal relevant communications are understood
• Documentation – required documentation from ISO 27001 is created and present
as well as all other relevant documentation that the organization deems necessary
for the effectiveness of the ISMS
OPERATION (8.0)
Clause 8.0 aims at the organizations ability to execute the plans and processes that are
subject of the previous clauses, which include:
• Establishing the processes needed for the organization to meet its information
security requirements and implement actions needed to address the information
security risk and opportunities
• Conduct regular information security risk assessments in a repeatable manner
• Implement assign owners, and document progress of the information security
risk treatment plan
PERFORMANCE EVALUATION (9.0)
This clause focuses on how the organization is assessing the performance and effectiveness
of the ISMS by identifying how the organization will monitor, measure, analyze and evaluate
its ISMS.
UNDERSTANDING ISO 27001
Additionally, this clause identifies the need for an internal audit. The audit program needs to
be capable of determining if the ISMS conforms to the requirements of ISO 27001 and
determining if the ISMS has been implemented effectively or not, yet be separate of its
operation.
Finally, the performance evaluation of the ISMS shall include a review by executive
management at planned intervals. Executive management review includes establishing the
review process, reviewing the performance, metrics of performance and objectives of the
ISMS, generating review outputs and recording such reviews.
IMPROVEMENT REQUIREMENTS (10.0)
ISO 27001 sets the requirement that efforts shall be made to continually improve, identify
opportunities for improvement, taking preventive actions and also to take corrective actions
when nonconformities of controls occur. Organizations are to identify and perform a root
cause analysis and remediate nonconformities against the standard. The cause of
nonconformities is to be identified, corrected, and evaluated.
Finally, an organization shall work to improve and enhance the overall performance of the
ISMS. This is done through a constant understanding of the context of the organization and
the requirements of interested parties to ensure the suitability, adequacy, and effectiveness
of the ISMS.
ANNEX A CONTROLS
The controls detailed within ISO 27001 Annex. ISO 27001 requires that Annex A controls be
addressed if in alignment with the organization’s business practices. The business-friendly
stance of ISO 27001 allows for exclusion based on organizational business practices. These
controls are identified in the Statement of Applicability and are also considered mandatory
unless not in alignment with the business model. Annex A controls not implemented must
have documented justification that will need to be approved and audited against by the
certifying body.
UNDERSTANDING ISO 27001
Annex A control areas include:
• Information Security Policies (A.5) • Operations Security (A.12)
• Organization of Information Security (A.6)
• Communication Security (A.13)
• Human Resource Security (A.7) • Systems Acquisition,
Development and Maintenance (A14)
• Asset Management (A.8) • Supplier Relationships
• Access Control (A.9) • Incident Management (A.16)
• Cryptography (A.10) • Information Security Aspects
of Business Continuity Management (A.17)
• Physical and Environmental Security (A.11)
• Compliance (A.18)
HOW IS ISO 27001 IMPLEMENTED?
ISO 27001 is implemented through the creation and maintenance of an ISMS chartered with
establishing, implementing, operating, monitoring, reviewing, maintaining and improving an
organization’s information security.
THE PDCA MODEL
ISO 27001 allows for the adoption of an organization’s preferred continuous improvement
methodology. The most common methodology for implementation and continuous
improvement is the Plan, Do, Check, Act (PDCA) model. The PDCA model is common to other
management systems such as those defined within ISO 9001 (Quality) and ISO 14001
(Environment) and is also consistent with Organization for Economic Co-operation and
Development’s (OEDC) guidelines.
UNDERSTANDING ISO 27001
Plan Establish the ISMS
Do Implement and operate the ISMS
Check Monitor and review the ISMS
Act Maintain and improve the ISMS
ISMS is a strategic initiative, and this iterative level one process directly maps to the section
4.0 – 10.0 controls.
HOW IS ISO 27001 CERTIFICATE OBTAINED?
ISO/IEC does not participate in conformance audit activities. However, its standards and
guides standardize conformity of assessment worldwide through independent third-party
auditors.
Plan
Do
Check
Act
UNDERSTANDING ISO 27001
Certifies Certifies
Accredits
Audits
CERTIFICATION MODEL
The certification model starts with the national accreditation board of a respective country.
Examples are UKAS in the United Kingdom, and ANAB in the United States. These respective
national accreditation boards accredit individual registrars or registration firms as a
certification body, authorized and competent to audit against ISO 27001 requirements.
The certification body will audit an organization against ISO 27001, potentially leading to ISO
27001 Certification. Once certified, as conformant to ISO 27001, the ISMS become registered,
and under registrar/certification body governance. The validity of the certification and
registration is derived from the national accreditation board of the respective country.
CONFORMANCE MAINTENANCE
The accredited certification body that issued the original Certificate of Conformance and
maintains the registration must approve changes to the security infrastructure defined within
the Scope of Registration. Minor changes may be submitted in writing, furnishing the
evaluator with enough detail to determine impact. Major changes may require re-auditing.
Surveillance visits are performed annually, and a re-certification audit is required every three
years.
Accrediation Body
Certification Body
Certified Auditor
Certified
ISMS
UNDERSTANDING ISO 27001
PROCESS VERSUS PRODUCT
There is confusion in the industry regarding both the approach and level of effort required to
implement either an ISO 27002 based information security program or an ISO 27001 certified
operational area. Many organizations simply wish to start with a “standards based”
information security infrastructure, unable to immediately justify the extra effort required for
certification. This “standards based” infrastructure will nevertheless leave them well
positioned to proceed toward certification should a business justification emerge. Other
organizations are misled into believing that the purchase of a “product” will automatically
make them conformant.
Toolkit Approach
• Can produce a set of ISO 27001 pre-written “policies” or “direction” which
addresses risks or perceived risks in a way that may not be easily adaptable by the
organization;
• Cannot cover the ISO 27001 controls addressable by “actions” since actions are
executed uniquely in each environment;
• Cannot assign a defensible risk-based justification unless coupled with a risk
assessment process;
• May create a false sense of security for organizations believing possession of
“security policies” is all that is required for conformance; and
• Cannot speak to the management of the controls required by ISO 27001.
Process Approach
• May utilize a toolkit as a starting point of discussion but uses the risk assessment
to drive the language/actions to finalize policies;
• Considers organizational behavior to gain buy-in at all levels;
• Considers the organizations legal and regulatory environment;
• Acknowledges and works within the organizations culture and values;
• Produces risk justified security requirements, processes, roles, and activities
required to justify the selection of ISO 27001 controls; and
• Is both legally and strategically defensible.
UNDERSTANDING ISO 27001
CONCLUSION
• ISO 27002 is the implementers’ guide, suggesting what should be done based upon
internationally recognized best practice.
• An information security program oversees the organization’s information
protection initiative, and may have responsibility over multiple operational areas.
• ISO 27001 is the auditors’ guide specifying what shall be done based upon quality
management principles inherent to a management system:
• Operational areas serve as the basis of establishing the scope of an ISO 27001
certification; and
• Scope of a NIST, HIPAA or SOC2 or other information security program and an
ISO 27001 operational area do not have to be the same.
There is an ever-increasing demand for information security certification. This phenomenon
will be driven by many factors, including:
• Regulatory requirements, such as GDPR, HIPAA, GLBA and SOX which require
information security to be managed;
• Marketing incentives;
• Financial incentives, such as insurance premium reductions; and
• Corporate and legal “due diligence” concerns.
Since ISO 27001’s ISO/IEC committee has security practitioners from various types of
organizations who regularly review and update the standard, adoption of ISO 27001 helps all
types of organizations keep their program relevant to changes to the current information
security landscape. The flexibility to conform to the controls based on each organization’s
unique practices allows the adoption of this standard by all and additionally forms the basis
and building blocks for easy expansion to implementation of other regulatory controls.
UNDERSTANDING ISO 27001
FOR MORE
INFORMATION ABOUT
GREYCASTLE
SECURITY AND ITS
CAPABILITIES
www.greycastlesecurity.com
518.274.7233